A bit string commitment protocol securely commits N classical bits in such a way that the recipient can extract only M < N bits of information about the string. Classical reasoning might suggest that bit string commitment implies bit commitment and hence, given the Mayers-Lo-Chau theorem, that non-relativistic quantum bit string commitment is impossible. Not so: there exist non-relativistic quantum bit string commitment protocols, with security parameters $\epsilon$ and M, that allow A to commit $N = N(M, \epsilon)$ bits to B so that A's probability of successfully cheating when revealing any bit and B's probability of extracting more than $N' = N - M$ bits of information about the N bit string before revelation are both less than $\epsilon$. With a slightly weakened but still restrictive definition of security against A, N can be taken to be $O(\exp(CM))$ for a positive constant C. I briefly discuss possible applications.
I. INTRODUCTION

As is by now well known, quantum information can guarantee classically unattainable security in a variety of important cryptographic tasks. Some no-go results have also been obtained, showing that quantum cryptography cannot guarantee perfect security for every task. We do not presently have a good characterisation of the tasks for which perfectly secure quantum protocols exist. In fact, we are not yet even able to characterise the range of cryptographic tasks for which perfectly secure quantum protocols might possibly exist. The main reason is that quantum cryptography involves more than devising quantum protocols for tasks known to be useful in classical cryptography. The properties of quantum information allow one to devise new and cryptographically useful tasks, which have no classical counterpart. Moreover, reductions and relations between classical cryptographic tasks need not necessarily apply to their quantum equivalents. This means that there is a wider range of tasks to consider, and that no-go theorems may not necessarily be quite as powerful as classical reasoning would suggest.

These remarks apply particularly to bit commitment, an important cryptographic protocol whose potential for physically secure implementation has been extensively investigated [1-12]. It is known that unconditionally secure quantum bit commitment is impossible for non-relativistic protocols [4-8]: that is, protocols in which the two parties are restricted to single pointlike sites, or more generally, in which the signalling constraints of special relativity are ignored. On the other hand, unconditionally secure bit commitment is thought to be possible between parties controlling appropriately separated pairs of sites, when the impossibility of superluminal signalling is taken into account [10,11].



While sustaining a bit commitment indefinitely via relativistic protocols is practical with current technology [11], the constraints it imposes are not always desirable. Both parties have to maintain separated secure locations, and communications have to continue throughout the duration of the commitment. A further motivation for continued study of non-relativistic protocols is that it is theoretically interesting to characterise which secure quantum protocols can be implemented without relying on relativity. With these motivations in mind, we restrict attention to non-relativistic protocols in the rest of this paper. Rather than insert the word "non-relativistic" throughout, we generally take the restriction as understood below.

Some variants of bit commitment, for which non-relativistic protocols are not known to be impossible, have previously been studied [13,14]. This paper considers a different type of generalisation, bit string commitment, in which one party commits many bits to another in a single protocol. Two non-relativistic bit string commitment protocols, which offer classically unattainable levels of security against cheating, are described.



II. BIT STRING COMMITMENT 

Consider the following classical cryptographic problem. Two mistrustful parties, A and B, need a protocol which will (i) allow A to commit a string $a_1 a_2 \ldots a_n$ of bits to B, and then, (ii) at any later time of her choice, reveal the committed bits. The protocol should prevent A from cheating, in the sense that she should have negligible chance of unveiling bits different from the $a_i$ without B being able to detect the attempted deception. In other words, A should be genuinely committed after the first stage. The protocol should also prevent B from being able to completely determine the bit string. More precisely, it must guarantee that, before revelation, B has little or no chance of obtaining more than m bits of information about the committed string, for some fixed integer m < n.

This (m, n) bit string commitment problem is a generalisation of the standard bit commitment problem, for which n = 1 and m = 0. Clearly, a protocol for bit commitment would solve this generalised problem, since the protocol could be repeated n times to commit each of the $a_i$, and B would be able to obtain no information about the committed string. Conversely, classical reasoning implies that a protocol for the generalised problem, for any integers m and n with m < n, could be used as a protocol for standard bit commitment. For A and B could use any coding of a single bit $a = f(a_1, \ldots, a_n)$ in terms of the n bit string such that none of the m bits available to B is correlated with a, and then use the protocol to commit A to a.

Classically, then, (m, n) bit string commitment is essentially equivalent to bit commitment. At first sight, allowing A and B to use quantum information may seem to make no difference. But there are subtleties. One is that extracting information from a quantum state can generally be done in many different ways. Each of these generally disturbs the quantum state, so that different ways of information extraction are generally incompatible: after method one has been applied, method two may no longer give as much (or any) information. This leaves open the possibility of bit string commitment protocols in which B can obtain some m bits of information about the committed n bit string in many different ways, without A necessarily knowing which m bits of information are obtained. A second subtlety is that if A commits a mixed state, a protocol can leave her almost perfectly committed to each bit in a string, in the sense that she is essentially unable to vary the probabilities of revealing 0 or 1 for any given bit, while leaving the actual bit values undetermined until a measurement at the revelation stage. For a long enough string, this might be doable in such a way as to leave A almost completely uncommitted to the value of some joint functions of the string bits.

Any attempt to use a secure quantum bit string protocol to commit a single bit by redundant coding could thus fail: it could be that, for any given coding, either A or B can cheat. In other words, there is no obvious equivalence between quantum (m, n) bit string commitment and quantum bit commitment. The impossibility of unconditionally secure quantum bit commitment does not necessarily imply that unconditionally secure quantum bit string commitment, with an analogous definition of security, is impossible. We now show it can be achieved.



III. PROTOCOL 1 

Define qubit states $\psi_0 = |0\rangle$ and $\psi_1 = \sin\theta\,|0\rangle + \cos\theta\,|1\rangle$. We take $\theta > 0$ to be small; $\theta$ and $r = n - m$ are security parameters for the protocol.

Commitment: To commit a string $a_1 \ldots a_n$ of bits to B, A sends the qubits $\psi_{a_1}, \ldots, \psi_{a_n}$ sequentially.

Unveiling: To unveil, A simply declares the values of the string bits, and hence the qubits sent. Assuming that B has not disturbed the qubits, he can test the bit values $a'_i$ claimed by A at unveiling by measuring the projection onto $\psi_{a'_i}$ on qubit i, for each i. If he obtains eigenvalue 1 in each case, he accepts the unveiling as an honest revelation of a genuine commitment; otherwise he concludes A cheated. (As usual, we assume noiseless channels.)

Security against A: Whatever strategy A follows, once she transmits the qubits to B, their respective density matrices $\rho_i$ are fixed. Let $p^i_j = \langle\psi_j|\rho_i|\psi_j\rangle$ be the probability of B accepting a revelation of j for the i-th bit. We have

$p^i_0 + p^i_1 \le \cos^2((\pi - 2\theta)/4) + \sin^2((\pi + 2\theta)/4),$ (1)

which is $< 1 + \theta$ for small $\theta$. This is the standard definition of security against A for an individual bit commitment, with security parameter $\theta$. In other words, A's scope for cheating on any bit of the string is limited to slightly increasing the probability of revealing 0 or 1, by an amount $< \theta$, which can be made arbitrarily small by choosing the security parameters appropriately. A is committed to each individual bit, in this standard sense, although of course the protocol does not prevent her committing quantum superpositions of bits or bit strings.

Security against B: We assume that prior to commitment B has no information about the bit string: to B, all string values are equiprobable. He thus has to obtain information about a density matrix of the form



(2) 



Holevo's theorem [15] tells us that the accessible information available to B by any measurement on $\rho$ is bounded by the entropy



(3) 



For any fixed $\theta > 0$, we have $S(\rho) < n$. For any fixed r, by taking n sufficiently large, we can ensure $n - S(\rho) > r$. So we can ensure that, however B proceeds, on average at least r bits of information about the string will remain inaccessible to him.

By choosing n suitably large, we can also ensure that the probability of B obtaining more than n − r bits of information about the string is smaller than any given $\delta > 0$. A simple bound follows from considering the probability of B identifying all n bits. As each bit is equiprobably 0 or 1, B's probability of identifying it is no more than $\tfrac{1}{2}(1 + \cos\theta)$; his probability of identifying all n is no more than $\left(\tfrac{1}{2}(1 + \cos\theta)\right)^n$. If he obtains more than n − r bits of information about the string, his probability of identifying all n bits is greater than $2^{-r}$. Hence

$\delta < 2^r \left(\tfrac{1}{2}(1 + \cos\theta)\right)^n .$
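As an added worked example (my code, not the paper's), the following Python computes the quantities the Protocol 1 analysis rests on: the right-hand side of eq. (1), the Holevo entropy of the committed state (since $\rho$ is the n-fold tensor power of the single-qubit mixture $(|\psi_0\rangle\langle\psi_0| + |\psi_1\rangle\langle\psi_1|)/2$, $S(\rho)$ is n times a binary entropy), the string length n needed for a given r, and the bound $\delta < 2^r (\tfrac{1}{2}(1+\cos\theta))^n$. The function names are my own.

```python
import math

def binary_entropy(p):
    """Shannon entropy (bits) of a Bernoulli(p) variable."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)

def bit_cheating_bound(theta):
    """Right-hand side of eq. (1): the most A can push p0 + p1 to on one bit.
    It equals 1 + sin(theta), the top eigenvalue of |psi0><psi0| + |psi1><psi1|,
    and lies below 1 + theta because sin(theta) < theta."""
    return math.cos((math.pi - 2 * theta) / 4) ** 2 + math.sin((math.pi + 2 * theta) / 4) ** 2

def entropy_per_qubit(theta):
    """S of the single-qubit mixture (|psi0><psi0| + |psi1><psi1|)/2, whose
    eigenvalues are (1 +/- |<psi0|psi1>|)/2 with |<psi0|psi1>| = sin(theta).
    rho of eq. (2) is the n-fold tensor power of this mixture, so S(rho) = n * this."""
    return binary_entropy((1.0 + math.sin(theta)) / 2.0)

def inaccessible_bits(n, theta):
    """n - S(rho): by Holevo, the bits of the string that stay inaccessible to B on average."""
    return n * (1.0 - entropy_per_qubit(theta))

def min_length_for_r(r, theta):
    """Smallest n with n - S(rho) >= r, the sizing rule stated after eq. (3)."""
    return math.ceil(r / (1.0 - entropy_per_qubit(theta)))

def full_identification_bound(n, r, theta):
    """delta < 2^r (1/2 (1 + cos theta))^n: bound on B learning more than n - r bits,
    using the Helstrom bound 1/2 (1 + cos theta) for telling psi0 from psi1."""
    return 2.0 ** r * ((1.0 + math.cos(theta)) / 2.0) ** n

def min_length_for_delta(r, theta, delta):
    """Smallest n making the bound above smaller than delta."""
    per_qubit = -math.log((1.0 + math.cos(theta)) / 2.0)  # > 0 for theta > 0
    return math.floor((r * math.log(2.0) - math.log(delta)) / per_qubit) + 1
```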



IV. PROTOCOL 2 

Protocol 1 ensures bit-wise security against A, but uses a rather inefficient bit string coding which allows B to obtain almost all of the bit string before revelation. For large n, more efficient codings allow the security against B to be greatly enhanced, though with a weakened notion of security against A.

We again take the security parameter $\theta > 0$ to be small and write $\epsilon = \sin\theta$. For any $\theta > 0$ and sufficiently large n, explicit constructions are known for sets $v_1, \ldots, v_{f(n)}$ of vectors in $H^n$ such that $|\langle v_i|v_j\rangle| < \sin\theta$ for all $i \ne j$, with the property that $f(n) = O(\exp(Cn))$, where C is a positive constant that depends on $\theta$ [16,17]. (The use of these constructions for efficient quantum coding of classical information has previously been noted by Buhrman et al. [18], who describe efficient quantum fingerprinting schemes which reduce communication complexity in the simultaneous message passing model.) A string of $O(Cn)$ bits can thus be encoded by vectors in $H^n$, such that the overlap between the code vectors for two distinct strings is always less than $\sin\theta$, suggesting the following bit string commitment protocol.

Commitment: Let N be the number of bits that can be encoded in $H^n$ by the above construction. To commit a string $a_1 \ldots a_N$ of bits to B, A sends the state $v_{a_1 \ldots a_N}$, treating the index as a binary number.

Unveiling: To unveil, A declares the values of the string bits, and hence the state sent. Assuming B has not disturbed the qubits, he can test A's claim by measuring the projection onto $v_{a_1 \ldots a_N}$. If he obtains eigenvalue 1, he accepts the unveiling as an honest revelation of a genuine commitment; otherwise he concludes A cheated.

Security against A: As before, once A transmits a quantum state to B, its density matrix $\rho$ is fixed. Consider some set $i_1, \ldots, i_r$ of bit strings which A might wish to maintain the option of revealing after commitment. Let $P_i$ be the projection onto $v_i$, let $p_i = \mathrm{Tr}(\rho P_i)$ be the probability of A successfully revealing string i, and write

$Q = P_{i_1} + \ldots + P_{i_r} .$ (4)



We want to bound $\mathrm{Tr}(\rho Q)$ for any density matrix $\rho$. This can be done by first maximising the expectation value $\langle Q\rangle_w$ for any vector $|w\rangle$. Writing $|w\rangle = \sum_j w_j |v_{i_j}\rangle + |v'_w\rangle$, where $\langle v'_w | v_{i_j}\rangle = 0$ for j from 1 to r, clearly $|v'_w\rangle = 0$ maximises $\langle Q\rangle_w$. So without loss of generality we can write $|w\rangle = \sum_j w_j |v_{i_j}\rangle$ with $\sum_j |w_j|^2 = 1$.
Now 



where

$S_2 = \sum_{ij} w_i w_j (1 - \delta_{ij}) \langle v_i | v_j \rangle$

and

$S_3 = \sum_{ijk} w_i w_k (1 - \delta_{ij})(1 - \delta_{jk}) \langle v_i | v_j \rangle \langle v_j | v_k \rangle .$

The Cauchy-Schwarz inequality gives us that

$S_2 \le \epsilon (r - 1), \qquad S_3 \le \epsilon^2 (r - 1)^2 .$

Both bounds are simultaneously attainable, by taking all the $w_j$ equal and $\langle v_{i_j} | v_{i_k} \rangle = \epsilon$ for all $j \ne k$. Also, it is easy to see that, provided $(r - 1)\epsilon < 1$ (which we assume), the maximum of $\langle Q\rangle_w$ is attained when $S_2$ and $S_3$ are simultaneously maximised. (Geometrically, the largest possible eigenvalue of Q arises when the $v_{i_j}$ bunch as closely as possible, and then the corresponding eigenvector is the sum of the $v_{i_j}$.) We thus have that

$\langle Q\rangle_w \le 1 + (r - 1)\epsilon .$

More generally, since any state $\rho$ can be written as a mixture of pure states, we have for all states

$\mathrm{Tr}(\rho Q) \le 1 + (r - 1)\epsilon .$ (5)

In other words,

$p_{i_1} + \ldots + p_{i_r} \le 1 + (r - 1)\epsilon ,$ (6)

and for any fixed r, this can be made as close to 1 as desired by choosing $\theta$ suitably small.

So, if A is determined to reveal a bit string from some finite set of size r, her scope for cheating is limited to increasing the probability of revealing any given element of the set by a fixed amount. For any fixed r, that amount can be made arbitrarily small by choosing the security parameters appropriately. If B's concern is to prevent cheating of this type, for some predetermined r, the protocol can guarantee him security.
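As an added numerical check (my code, not the paper's), this Python verifies bound (5): the nonzero eigenvalues of $Q = \sum_j |v_{i_j}\rangle\langle v_{i_j}|$ are those of the Gram matrix of the $v_{i_j}$, so the extremal configuration with every overlap equal to $\epsilon$ should give exactly $1 + (r-1)\epsilon$, and arbitrary code vectors should stay at or below it. It goes slightly beyond the text in that the general case is argued via Gershgorin's theorem on the Gram matrix rather than Cauchy-Schwarz, which needs no assumption that $(r-1)\epsilon < 1$; real vectors, the random sample input and the function names are my assumptions.

```python
import math
import random

def gram_matrix(vectors):
    """G_jk = <v_j|v_k> for real unit vectors; real vectors suffice to exercise the bound."""
    return [[sum(a * b for a, b in zip(vj, vk)) for vk in vectors] for vj in vectors]

def equal_overlap_gram(r, eps):
    """Gram matrix of r unit vectors with every pairwise overlap equal to eps:
    the configuration the text identifies as extremal for <Q>_w."""
    return [[1.0 if j == k else eps for k in range(r)] for j in range(r)]

def largest_eigenvalue(G, iters=1000):
    """Top eigenvalue of the symmetric matrix G by power iteration.
    Q = sum_j |v_j><v_j| = V V^T and G = V^T V share their nonzero eigenvalues,
    so this is the maximum of <Q>_w over |w>, i.e. the maximum of Tr(rho Q) over rho."""
    r = len(G)
    w = [float(j + 1) for j in range(r)]  # generic start vector, not an eigenvector
    lam = 0.0
    for _ in range(iters):
        Gw = [sum(G[j][k] * w[k] for k in range(r)) for j in range(r)]
        norm = math.sqrt(sum(x * x for x in Gw))
        w = [x / norm for x in Gw]
        # Rayleigh quotient of the normalised iterate; never exceeds the top eigenvalue
        lam = sum(w[j] * sum(G[j][k] * w[k] for k in range(r)) for j in range(r))
    return lam

def cheating_bound(r, eps):
    """Right-hand side of eq. (5): 1 + (r - 1) eps."""
    return 1.0 + (r - 1) * eps

def max_overlap(G):
    """Largest |<v_j|v_k>| over j != k, playing the role of eps = sin(theta)."""
    r = len(G)
    return max(abs(G[j][k]) for j in range(r) for k in range(r) if j != k)

def random_unit_vectors(r, d, seed=0):
    """Constructed sample input: r random real unit vectors in R^d."""
    rng = random.Random(seed)
    out = []
    for _ in range(r):
        v = [rng.gauss(0.0, 1.0) for _ in range(d)]
        n = math.sqrt(sum(x * x for x in v))
        out.append([x / n for x in v])
    return out

def bound_holds(vectors):
    """Check Tr(rho Q) <= 1 + (r - 1) eps with eps the largest pairwise overlap.
    Gershgorin's theorem on G (unit diagonal, off-diagonal entries of size at most
    eps) gives this for any overlaps, not only when (r - 1) eps < 1."""
    G = gram_matrix(vectors)
    return largest_eigenvalue(G) <= cheating_bound(len(vectors), max_overlap(G)) + 1e-9
```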

Security against B: Holevo's theorem implies that the information about the $N \approx Cn$ bit string accessible to B is at most $\log n$ bits.






V. DISCUSSION 

The bit string commitment protocols above use the properties of quantum information to guarantee strong levels of security to both the committer and receiver. They highlight another cryptographic application of quantum information: no (non-relativistic) classical protocol can guarantee such security. They also highlight the fact that quantum cryptography can introduce distinctions between tasks which are classically equivalent, such as bit commitment and bit string commitment.

As a metaphor for the cryptographic uses of bit string commitment — in particular, of the second type of protocol — consider a situation in which A knows the combination to a lock, wants to be able to prove to B in future that she knows it now, but does not want to give B the ability to open the lock now. If she sends a bit string commitment of the combination now, she can prove her present knowledge later by opening the commitment. However, B, who can only get partial information about the committed string, will not be able to deduce the combination from it. If the combination is sufficiently long, the security parameters for the bit string commitment are appropriately chosen, and A knows how fast B can try possible combinations, she can ensure that B remains sufficiently ignorant about the combination to be almost certainly unable to break the lock during some fixed interval of her choice.

As another illustration, suppose that A has just obtained a very high resolution image of something of interest to, but kept secret from, B. She may wish to be able to prove to B later that she had the image today — so that he will take her seriously enough to purchase her services in future — without revealing too much detailed information to B for free. A quantum bit string commitment protocol with suitable parameters could meet this need.

One might think that both these applications could also be implemented securely classically, simply by allowing B to choose a random subset of the combination or image and asking A to provide the data corresponding to that subset. However, this would persuade B only that A is able to compute or obtain a dataset of the size of the subset. She might be able to do this with a device that extracts the combination digit by digit, or with an imaging device of restricted field, without actually being able to obtain all the data at the time she claims to have it.

More generally, bit string commitment allows a sort of partial knowledge proof, in which A can establish to B her possession of some information — the factorisation of a number, the proof of a theorem, ... — while restricting the amount of information B can obtain. It also illustrates the general possibility in quantum cryptography of iterating a protocol a number of times with a partial security guarantee that allows the parties to be certain that many or most of the bits involved are appropriately controlled. Practical cryptographic applications that require bit commitment almost always involve strings of bits, and perfect security of the entire string may often not be essential. Moreover, quantum bit string commitment can be used on top of classical bit commitment schemes, offering an extra layer of classically unobtainable security with a partial but unconditional security guarantee. It thus seems likely to be rather useful.